IT Grids Aadhaar data theft case may be the biggest ever in India: Experts

HYDERABAD: The IT Grids case may not be the first FIR filed on the basis of a complaint by the Unique Identification Authority of India (UIDAI) but the magnitude of the case is huge according to data security researchers. The case pertaining to the Sevamitra app designed by the company for the Telugu Desam Party (TDP) alleges that the app contained the Aadhaar data of 7.8 crore citizens. The special investigation team (SIT) on the case suspects that the accused had accessed the data from the UIDAI’s Central Identified Data Repository or the State Resident Data Hub (SRDH).

Since the introduction of the Aadhaar Act in 2016, over 30 FIRs have been lodged across the country for the violation of the Act. “The Ministry of Electronic and Information Technology informed parliament in December, 2017 that UIDAI has filed 30 FIRs in a year for violation of the Aadhaar Act, 2016. In 2018 and 2019 more cases may have been filed. In the IT Grids case, it is alleged that the Aadhaar data of two states have been misused. There have been instances of Aadhaar detail leak of 4.5 crore citizens of AP…” data security researcher Srinivas Kodali told TOI. The UIDAI had filed a complaint on April 12 at the Madhapur Police Station following a report by the Telangana Police. “Investigation so far revealed Sevamitra application is suspected to be using stolen voter information along with Aadhaar data of the state governments of Telangana and AP for voter profiling, targeted campaigning and even deletion of votes,” said the report submitted by the Telangana Police SIT to the UIDAI. “Availability of unique information of Aadhaar indicates the accused might have illegal access CIDR and SRDH. Having such sensitive database indicate that the in a removable storage is a violation of the Aadhaar Act,” the SIT said in its report. The SIT also reported that IT Grids had hosted the database related to Aadhaar numbers and related identification information on Amazon’s web services which is a contravention of Section-44 of the Aadhaar Act. As per the forensic investigation by Telangana State Forensic Lab: “The structure and size of the database of Sevamitra app are similar to the database that could have been originally owned by UIDAI.” UIDAI officials on their part said that the the core Aadhaar biometric data stored in the Central Identities Data Repository is never shared with any entity. “Aadhaar data is stored in CIDR of UIDAI in an encrypted format. So far, no incidents of breach in security with respect to Aadhaar data have been reportedfrom the UIDAI CIDR,” a UIDAI official said.